Cyberwar: It’s Not Just Fiction Anymore

Published on July 16, 2011 by Arik Hesseldahl

After surviving numerous devastating wars throughout history, humanity is well acquainted with war in the physical realm.

But we’re still unfamiliar with the concept of cyberwar. In 1998, John Arquilla, professor at the Naval Postgraduate School, tried to envision it in a piece for Wired Magazine, The Great Cyberwar of 2002, in which a loose coalition of rogue states, terrorist groups and drug cartels team up to prod the United States into a war with China and Russia by knocking out power grids, blowing up chemical plants and causing airliners to collide in midair.

It was fiction, but the scariest fiction is always based in part on plausible fact.

So what exactly would cyberwar look like in the real world?

It’s an important question to answer now, after the U.S. Department of Defense announced last week that it now considers “cyberspace” — an obviously dated word referring to the Internet and networked computer environments, but which has recently regained currency in government circles — a theater of warfare similar to land, sea, air and space.

In a speech this week at the National Defense University in Norfolk, Va., Deputy Secretary of Defense William Lynn announced that the United States now considers attacks on certain computer networks and systems by foreign powers and terrorists as the equivalent of a traditional attack with guns and bombs. It thus reserves the right to retaliate, either in the cyber-realm or with traditional force.

(You can see Lynn’s speech, which runs about 45 minutes, in the video below, courtesy The Pentagon Channel. And below that I’ve embedded the 19-page policy document.)

The striking declaration raises some fundamental questions about warfare, including: What would war in cyberspace look like? How would it be fought? Would those not directly involved in the fighting even know it’s going on or which side is winning? Would we even know who the enemy is?

We have some hints. At the most basic level, we know that unknown parties are probing U.S. government and private networks, stealing what they can and leaving the doors unlocked for future visits.

U.S. officials have complained in private and in public about alleged attacks against government networks and those belonging to defense contractors.

Privately and in diplomatic cables, they most frequently blame China, which has always denied any involvement. An April 21 Reuters story citing U.S. State Department diplomatic cables obtained by WikiLeaks showed officials estimating that hackers working for China’s People’s Liberation Army had stolen terabytes worth of information, and that efforts to put down the attacks, dubbed “Operation Byzantine Hades,” were ongoing.

Overall, the Government Accountability Office says that intrusions on government computer networks have climbed from 5,503 incidents in 2006 to 41,776 in 2010.

The examples are numerous.

In March, the SecurID system made by RSA, a unit of storage giant EMC, came under attack. A subsequent attack was launched against defense contractor Lockheed Martin. The same RSA tokens are widely used at government agencies and at innumerable corporations.

In June, Google disclosed that its Gmail email service had come under attack from someone in China, a claim which that country’s government denied.

And just this month several U.S. Department of Energy facilities — including the Pacific Northwest National Laboratory in Richland, Wash. — severed their connections to the Internet following a series of attacks using “Zero Day” vulnerabilities, which exploit previously unknown weaknesses.

All of these incidents seem to scream out the need for a more active defense, which the new policy is intended to create. To date there’s never been a penalty for attacking U.S. government and private networks, in part because it’s hard to hit back when you don’t know precisely who’s hitting you in the first place.

This is known as the attribution problem.

If you’re able to solve that issue, there are some hints about what a retaliation might look like. Consider Stuxnet: A powerful piece of carefully-targeted malware, supposedly designed by Israel, it burrowed deep via Microsoft Windows into the industrial control computers running Iran’s nuclear centrifuges.

With its target located — it was designed to seek out a specific installation — Stuxnet made those centrifuges, which are used to enrich uranium, spin faster than they were supposed to. The resulting damage set the Iranian nuclear program back by two years or more.

That’s not a bad outcome, perhaps, but Stuxnet opened a Pandora’s box. And while experts who have analyzed it closely have said it would have taken a team of highly skilled programmers several million dollars and several months to design, you can bet that cyberwarriors in every nation on Earth are combing through the Stuxnet code hoping to build their own version of it. All of these could conceivably be used against our own power grids and factories and more.

If we reach a point where we can destroy and disrupt the networks and infrastructure upon which our potential enemies rely and they can do the same thing to us with relative parity, the fear of a devastating reprisal becomes a deterrent to the temptation to launch an attack.

Similar assumptions about nuclear war prevented the Cold War between the U.S. and the Soviet Union from turning hot, and made nuclear war ultimately unthinkable for both sides.

Without electrical power and thus the ability to communicate or conduct commerce, any society breaks down quickly. Consider the thought of six weeks without a working cellphone network, without the ability to access funds in your bank account or without power.

If that scares you — and it should — it should scare our potential enemies just as much, and thus give them pause. That’s the hope, anyway.